Posts Tagged ‘Spam Investigations’

I’m so sorry, web …

Wednesday, December 21st, 2016

… I had to install an ad-blocker. Why? Firefox before any ad block:

Screenshot 2016-12-21 21.08.19.png

Firefox after Adblock Plus:

Screenshot 2016-12-21 21.08.55.png

Yep, Firefox was TEN TIMES SLOWER when loading a page with ads, and it stayed that way because the ads kept updating. Just one page with ads brought FF to its knees, and I did the experiment several times to confirm, yes, it indeed was the ads. I don’t know what’s specifically going on here, but I strongly suspect VPAID ads and similar protocols are the culprit, as documented here:

http://techaeris.com/2016/06/14/vpaid-ads-hurting-internet-experience/

… publisher and website owner Artem Russakovskii took to Google+ and The Hacker News to share some of his findings concerning VPAID ads. He shows how VPAID ads can degrade a user’s browser performance:

“… after several minutes of just leaving this one single ad open, I’m at 53MB downloaded and 5559 requests. By the time I finished typing this, I was at 6140 requests. A single ad did this. Without reloading the page, just leaving it open.

A single VPAID ad absolutely demolishes site performance on mobile and desktop, and we, the publishers, get the full blame from our readers. And when multiple VPAID ads end up getting served on the same page… you get the idea.”

Similarly, John Gruber reports that a 500-word text article weighed in at 15MB – enough data to hold more than 10 copies of the Bible, according to the Guardian. Gruber links another post which shows that web pages can get more than 5 times faster without all the excess scripts that they load.

The sad thing is, I don’t mind ads. The very first version of my site had fake “ads” for other blogs I liked. Even the site I tested above, the estimable Questionable Content, had ads for other webcomics I liked, but experimentation showed that ads could bring Firefox to its knees. QC I always thought of as ad-lite, but guess it’s time to start contributing via Patreon.

The real problem is news sites. Sites where opening a simple story kept locking up Firefox and twice brought down my whole computer by draining the battery incredibly fast. I don’t care what you think your metrics are telling you, folks: if you pop up an overview so I can’t see your page, and start running a dozen ads that kill my computer, I will adblock you, or just stop going to your site, and many, many other people across the world are doing the same.

We need standards of excellence in content that say 2/3 of a page will be devoted to content and that ads can add no more than 50% to the bandwidth downloaded by a page. Hell, make it only 1/3 content and 100% extra bandwidth – that will be almost 100% more content than a page totally destroyed by popup ads and almost 3000% less data than one bloated by 10 copies of the Old Testament in the form of redundant ads for products I will either never buy or, worse, have already bought.

-the Centaur

Obfuscated

Saturday, March 5th, 2016

Screenshot 2016-03-05 15.03.58.png

Yeah, that goop someone injected into my Dakota Frost site doesn’t look suspicious at all.

(In case you’re not a programmer, healthy code doesn’t look like that. This code has been munged and rewritten so it’s almost impossible to see what it does. Not that I care – I just deleted it. But it makes it hard for someone who needs to debug it, in the cases where you need to debug it.)

Sheesh. Get off my lawn. Still cleaning things up. More in a bit.

-the Centaur

So it was a hacked .htaccess…

Friday, March 4th, 2016

So, the Dakota Frost site got hacked. May still be hacked, for all I know, because I just found and eliminated only one error, and I still haven’t found out how they got in. Of course, I changed all my passwords everywhere else first before logging into the site, confirming no-one had hacked the user accounts, and then downloading all the code for some forensics.

But what was peculiar was that, even though I could clearly see evidence of hackery thanks to the very nice, publicly available Webmaster tools at the Google, I could not see any difference between the live site and my previous backup except for the addition of the Akismet spam filter, which I’m pretty sure I did myself.

Then I found it, when I detected a strange file named kgcakmhg.php. Tracing it back, in the root of the HTML directory, someone had modified files back in February – first to point the .htaccess to a strange file named baccus-contextually.php, which called the weirdly named file and also relied on changes to the style directory. No changes to the blog code were necessary – everything was being rewritten before it got there.

Removing those files? Easy. Site’s back to normal … I guess. Closing the open barn door? Uh … harder. Since I don’t know which door they came through.

Off to do more debugging …

-the Centaur
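
The post found the tampering by spotting files the backup never had and an .htaccess that pointed at one of them. As an added example (not the author's code), the sketch below automates that comparison: it hashes a known-good backup and the live tree, dotfiles included, then lists any PHP file named in a live .htaccess that the backup does not contain. The directory layout and the rewrite rule are constructed stand-ins; only the two file names come from the post.

```python
import hashlib
import re
import tempfile
from pathlib import Path

PHP_REF = re.compile(r"[\w./-]+\.php\b", re.IGNORECASE)

def digest_tree(root):
    """Map relative path -> SHA-256 for every file, dotfiles included."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def compare(backup, live):
    """Return (added, changed) paths in the live tree relative to the backup."""
    old, new = digest_tree(backup), digest_tree(live)
    added = sorted(set(new) - set(old))
    changed = sorted(p for p in set(new) & set(old) if new[p] != old[p])
    return added, changed

def htaccess_php_targets(backup, live):
    """PHP files named in live .htaccess directives that the backup never had."""
    known = set(digest_tree(backup))
    hits = []
    for ht in sorted(Path(live).rglob(".htaccess")):
        for line in ht.read_text(errors="replace").splitlines():
            if line.lstrip().startswith("#"):
                continue  # commented-out directive
            for target in PHP_REF.findall(line):
                rel = target.lstrip("/")
                if rel not in known:
                    hits.append((ht.relative_to(live).as_posix(), rel))
    return hits

def demo():
    """Constructed backup/live pair standing in for the tampering in the post."""
    tmp = Path(tempfile.mkdtemp())
    backup, live = tmp / "backup", tmp / "live"
    for root in (backup, live):
        root.mkdir()
        (root / "index.php").write_text("<?php // blog front controller\n")
    (backup / ".htaccess").write_text("RewriteEngine On\nRewriteRule . /index.php [L]\n")
    (live / ".htaccess").write_text("RewriteEngine On\nRewriteRule . /baccus-contextually.php [L]\n")
    (live / "baccus-contextually.php").write_text("<?php // placeholder\n")
    (live / "kgcakmhg.php").write_text("<?php // placeholder\n")
    return compare(backup, live), htaccess_php_targets(backup, live)

if __name__ == "__main__":
    print(demo())
```

A content diff of only the blog's own code would report nothing here, which matches the post: the change lives in the .htaccess and in new files beside it.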

So, dakotafrost.com has been hacked

Friday, March 4th, 2016

So, yeah. I’ve lost sites to hacks before – the wiki on dresan.net, which I barely used – but those were obvious. This one is a subtle hack, not immediately visible, detected by the supercomputers at the Google. Will take a bit of effort to work this one out.

You see disruption here, you know why.

Sigh.

-the Centaur

Asymmetric Warfare

Monday, August 20th, 2012

Offered without further comment, as part of the series Spam Investigations, because, looking back on that history, I’ve commented on this before.

-the Centaur

Is Spam out of Control?

Saturday, March 3rd, 2012

I don’t know, you tell me.

According to reports, somewhere between 75% and 90% of all email is spam, and if I read the numbers right, over 99.5% of all comments on this rather minor blog are spam.

Yeah. That’s extraordinary. That beats it all.

-the Centaur

The Spammers Are Getting Snarky

Friday, July 8th, 2011

They’ve tried flattery, they’ve tried clever links … now they’re trying humiliation:

The following time I read a blog, I hope that it doesnt disappoint me as much as this one. I mean, I do know it was my option to read, but I really thought youd have something fascinating to say. All I hear is a bunch of whining about one thing that you would fix in case you werent too busy in search of attention.

Too bad this comment was posted on an image ATTACHMENT. 😛 So there was no whining to comment on. Even if I follow the comment back to the article, it was about the importance of not whining when things go bad and moving on with your life. Tracing back the link revealed that no, there was no real person behind this: there was an apparently fake blog that was actually an invitation to some kind of ad network. Apparently they keyword matched the text of my article with the comment in an attempt to get some attention.

So: nice try, but bad spammer, no backlink.

-the Centaur

In more detail, my methodology: my moderation software asked me about this comment. The comment was not obviously related to an article and was badly written, so I drilled through to the referenced post and found it was an attachment. It’s entirely possible that someone clicked on the parent article, which did reference whining, then clicked on an attachment in an attempt to post an irritated comment. But the person’s email address was for an ad network, the linked-to blog seemed to have unrelated articles, and on my second visit to the blog the ad network tried to take over my whole screen (yay Google Chrome for saving me!). People don’t generally have email addresses that are the same as spam networks, so I classified the comment as spam. It was a new kind of spam, so I’m posting about it.

UPDATE: Ooo, ooo, I forgot the best part of the methodology: do a search for a long phrase in the spam to see how often it appears on the internet. You can’t do too long – the spammer may be using software that introduces slight word variations – but if it’s long enough to be unique and it still shows up everywhere, you’re virtually guaranteed the comment is spam. I don’t care how repetitive a commenter is, nobody is going to write “The following time I read a blog, I hope that it doesnt disappoint me as much as this one” on “About 847,000” pages, according to Google.

We Heed Not Flatterers…

Wednesday, August 11th, 2010

… especially the spammy kind. Let’s do a little naturalistic analysis, a little data collecting, shall we?

  • Maintain up the beneficial work mate. This website publish shows how well you comprehend and know this subject.
    -Mr. “Traffic Generation Promotion”
  • I can see that you are an expert at your field! I am launching a website soon, and your information will be very useful for me.. Thanks for all your help and wishing you all the success.
    -Mrs. “How Men Date”
  • hi very good blog here, you can list it on our site for more views
    -Mr. “Ads Classifieds”
  • This is a really good read for me, Must admit that you are one of the best bloggers I ever saw.Thanks for posting this informative article.
    -Miss “Belly Fat Burner”
  • Unbelievable, that’s exactly what I was seeking for! You just saved me alot of work
    -Sir “Miles the Car Guy”
  • I can see that you are an expert at your field! I am launching a website soon, and your information will be very useful for me.. Thanks for all your help and wishing you all the success.
    -Ms. “Refinance Loan”

What are the keys? Lack of grammatical or logical sense, not apropos to the articles, text repeated over and over again from different posters, names that are obvious commercial scams, sites that are obvious commercial scams … and some that are bizarre cries for help from deep within The Algorithm:

Why did you remove my post… My post was actually useful unlike most of these comments. Ill post it again. Hiya guys, I spottet a great way to make a lot of money online creating blogs. I expect this is primaraly for the website admin but there are probably alot more bloggers reading this. I have already made thousands using the techniques detailed in the product and it has only been 2 months.

Now, there are some that aren’t bad … almost close enough to get you … again, if they didn’t show up again and again, and weren’t posted by “Mister Cheap Free Viagra Guy” at iscamu@suckers.com.

Sigh. Fortunately a friend of mine out here for the Rush concert is a WordPress blogger and keyed me in that I hadn’t enabled Akismet, WordPress’s built-in comment spam fighting plugin. Doing that now…

-the Centaur
P.S. What really gets me is that these spam comments are arriving at the blog of someone who actually studies spam. I know The Algorithm doesn’t know that, but still…
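
Two signals from these posts, "text repeated over and over again from different posters" and the long-phrase search that has to tolerate "slight word variations", can be checked locally on a moderation queue. The added example below (not the author's tooling) compares comments by overlapping three-word shingles, so a template with a couple of swapped words still matches. The first four comments are quoted from the list above; the last is a constructed variant, and the shingle size and threshold are assumed values.

```python
import re
from itertools import combinations

def shingles(text, k=3):
    """Set of k-word shingles, ignoring case and punctuation."""
    words = re.findall(r"[a-z0-9']+", text.lower())
    return {" ".join(words[i:i + k]) for i in range(max(len(words) - k + 1, 1))}

def jaccard(a, b):
    """Shared shingles over all shingles; 1.0 means identical wording."""
    return len(a & b) / len(a | b) if (a | b) else 0.0

def repeated_across_posters(comments, threshold=0.5):
    """(poster, poster, score) for near-identical text from different posters."""
    sets = [(who, shingles(text)) for who, text in comments]
    pairs = []
    for (w1, s1), (w2, s2) in combinations(sets, 2):
        score = jaccard(s1, s2)
        if w1 != w2 and score >= threshold:
            pairs.append((w1, w2, round(score, 2)))
    return pairs

TEMPLATE = ("I can see that you are an expert at your field! I am launching a "
            "website soon, and your information will be very useful for me.. "
            "Thanks for all your help and wishing you all the success.")

COMMENTS = [
    ("Traffic Generation Promotion",
     "Maintain up the beneficial work mate. This website publish shows how "
     "well you comprehend and know this subject."),
    ("How Men Date", TEMPLATE),
    ("Ads Classifieds",
     "hi very good blog here, you can list it on our site for more views"),
    ("Refinance Loan", TEMPLATE),
    # Constructed: the same template with two words swapped.
    ("constructed variant",
     TEMPLATE.replace("at your field", "in your field").replace("website", "site")),
]

if __name__ == "__main__":
    for a, b, score in repeated_across_posters(COMMENTS):
        print(f"{score:.2f}  {a!r} ~ {b!r}")
```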

Comments … STILL Moderated

Monday, July 26th, 2010

Um, automatic robot gang, I just have to tell you: the following scheme doesn’t work well for comment spam:

Hi! Just checkd out your site! Keep up teh good information. Very nice work? Do it youself?! Very relevant to me, we also have a community with theme similar on similar information. Is Blogger the WordPress?
Ima Spammer
http://cheapfreeviagra.malware.org/

Especially if there’s no relationship between the salsa of text and the post. I mean, come on, if you’re going to comment on my WordPress theme don’t do it on the Pound Cake Alchemy post.

8 more spammy comments … marked as spam.
-the Centaur

Anonymous Commenting Disabled

Sunday, March 14th, 2010

who gave me this dang thing

Sorry, commenters, but the signal-to-noise ratio of anonymous comments was approaching zero. 🙁 It was getting to the point I almost rejected some real though short comments because they were looking like the spam comments I was getting – I apologize if I dinged a real person by accident. But when you don’t know who’s sending a gift, you never know what’s inside the wrapper.

-the Centaur

Pictured is my cousin Bryan Norman, receiving a joke gift of a mailbox at last Christmas’s White Elephant gift exchange – though I dispute the Wikipedia article, I lived 38 years in the Southeastern United States and never heard it called a “Yankee swap” – always “White Elephant” or the less-politically-correct “Chinese Christmas”.